Sunday, December 5, 2010

Tracing Library/DLL calls on Win32

I have searched for a program to verify all the sectors of a hard drive, to detect errors. Obviously, formatting the drive is one method, but I actually found that the format did not pick up bad sectors that I knew were on the hard drive. After some searching I found a program called “HD Tune” which has an option to perform an “Error Scan” on a disk. Using this utility, it successfully detected the error spots on the disk.

It would be nice to write such a utility myself. But how? Ideally I would be able to detect all the mounted disks on the system, determine the size and geometry, determine the number of sectors on the disk and perform a Read operation on each sector, looking for errors. I would imagine the KERNEL32 function DeviceIoControl() will play a major part in it.

A quick investigation did not turn up anything promising. So how does HD Tune do it? Good question. I never really played around with any sort of process spying utilities, at least not in a long time, so I fired up Spy++. It’s good at spying on window messages, but what I want to know is which external Win32 DLL functions it was calling. Spy++ won’t let you see that. So another Google hunt for an answer.

Before getting into that, another question of interest is determining DLL dependencies. Which DLLs is a process using? To answer that, one good utility is Dependency Walker, which can be found at http://www.dependencywalker.com/

Now I can see all the KERNEL32.DLL functions being called by HD Tune. The next step is to be able to see the actual calls being made, with parameters and return values. Can we find a utility to do this? Let’s find out!

One method, and arguably the most elegant, of viewing calls made by a process is via a technique called Import Address Table (IAT) patching. Executable programs and DLLs on Windows are built on the Portable Executable (PE) file format. One section in this format, .idata, contains a table (yeah, you got it, the Import Address Table) with the names of imported functions. An interesting article on this is "API Spying Techniques for Windows 9x, NT and 2000" by Yariv Kaplan at http://www.internals.com/articles/apispy/apispy.htm. Not only does the table list the functions called, but it acts as a jump table. That is, when an imported function is called, the call goes through an indirect JMP via that function's entry in the IAT. That turns out to be a perfect spot to intercept the call: overwrite the entry with the address of a logging wrapper, and have the wrapper forward to the original address. One caveat: only imports resolved by the loader go through the IAT, so functions a program looks up itself at run time via LoadLibrary/GetProcAddress are not seen by an IAT patch.
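To show the interception mechanism described above, here is an added, portable simulation (my own example, not code from the article or from any of the tools it mentions): a function-pointer table stands in for an IAT slot, the "application" calls an imported routine only through that slot, and the spy swaps the slot for a wrapper that logs parameters and return values before forwarding to the original. No real PE parsing or Windows APIs are involved; `real_read`, `scan` and the sector names are constructed stand-ins.

```c
/* Simulation of IAT patching: a function-pointer table slot plays the role
 * of a PE import table entry. Constructed example; not Windows code. */
#include <stdio.h>
#include <string.h>

typedef unsigned long (*ReadFn)(const char *name, unsigned long bytes);

/* Stand-in for an imported API (think of a kernel32 read routine).
 * Returns bytes read, or 0 to signal failure on a (constructed) bad sector. */
static unsigned long real_read(const char *name, unsigned long bytes) {
    return strcmp(name, "bad.sector") == 0 ? 0 : bytes;
}

/* Stand-in for the .idata import table: one slot per imported function.
 * The application never calls real_read directly, only through this slot. */
static ReadFn iat_read = real_read;

/* Trace log filled by the spy wrapper: parameters and return value per call. */
struct trace { char name[32]; unsigned long arg; unsigned long ret; };
static struct trace calls[16];
static int ncalls = 0;
static ReadFn original = NULL;   /* saved slot value, used to forward and unhook */

/* The spy wrapper: forward to the original target, then record the call. */
static unsigned long spy_read(const char *name, unsigned long bytes) {
    unsigned long r = original(name, bytes);
    if (ncalls < 16) {
        snprintf(calls[ncalls].name, sizeof calls[ncalls].name, "%s", name);
        calls[ncalls].arg = bytes;
        calls[ncalls].ret = r;
        ncalls++;
    }
    return r;
}

/* Patch the slot: save the old pointer, install the wrapper. Restore undoes it. */
void install_hook(void) { original = iat_read; iat_read = spy_read; }
void remove_hook(void)  { if (original) { iat_read = original; original = NULL; } }

/* "Application" code: reads each sector through the import slot and counts
 * failures, exactly as an error-scan utility would. */
unsigned long scan(const char *const *sectors, int n) {
    unsigned long failed = 0;
    for (int i = 0; i < n; i++)
        if (iat_read(sectors[i], 512) == 0) failed++;
    return failed;
}

int trace_count(void) { return ncalls; }
const struct trace *trace_at(int i) { return &calls[i]; }
```

Once the hook is installed, the application's code is untouched yet every call through the slot is logged; removing the hook restores the original pointer and logging stops.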

Quickly searching around, we can find a few candidates in the field:

APISPY32 – An older program originally written for Windows 95. Reports indicate that it works under Windows 2000 and XP as well. Available as a ZIP download at http://www.wheaty.net/ – direct download link is Updated APISPY32. At this time, I’m not going to look at this one; instead I’ll focus on the following two.

Unfortunately, under Windows 7 (at least), I was not able to get STraceNT to run HDTune.EXE or even a simple CRC32.exe program that I wrote. It could be a Windows 7 issue. So I’ll fire up Windows XP on a Virtual PC and see if it will run on there. (5 minutes later!) Yes, it seems to be working fine under Windows XP, so it seems to be an issue with running under Windows 7.

Detours

Detours, from Microsoft Research, is not an application; it’s a library. With it, you can develop your own utility much like STraceNT. In fact, that’s just one of the things you can do with it. One of the samples (C++ code) is a utility like STraceNT that shows how to intercept and log some 1400+ Win32 API function calls. At least one person has used Detours to make such a utility (no source code); see http://dev.depeuter.org/xptruss.php